Monday, October 18, 2010

CERT-Finland has reported a newly discovered technique that evades network and security devices -- namely IDS/IPS systems, but could also work against network firewalls and Web application firewalls -- and lets attackers sneak in and conduct targeted attacks against an enterprise network.

The threat, which was discovered by researchers at Stonesoft's Helsinki labs, is based on vulnerabilities inherent in several vendors' IDS/IPS products, according to CERT-Finland, which has alerted the affected IDS/IPS vendors. The names of the vendors and their products have not been released publicly.

Jussi Eronen, head of vulnerability coordination at CERT-FI, which first issued an alert on the threat on October 4, will update the organization's vulnerability alert today.

[...]

ICSA Labs has verified the attack and is also sounding the alarm about the risk to enterprises. Jack Walsh, intrusion detection and prevention program manager at ICSA Labs, says it could take some time for network security vendors to add protection for this attack to their products, thus leaving enterprises at risk until those patches become available. IDS/IPSes, firewalls, next-generation firewalls, and Web application firewalls are most at risk of this evasion technique, he says.

[...]

Some vendors may need to re-architect their products to fix this, while others may have to patch or build in protections, ICSA's Walsh says.

Meanwhile, CERT-Finland's Eronen wouldn't provide details of the products known to be affected thus far or their weaknesses that allow for the attack since coordination among the vendors is still under way.

"If [targeted] networks have systems that are for some reason left unpatched -- legacy systems, no supported patches available, compliance does not allow for any system modification, just to name a few possible reasons -- and IDS/IPS systems are employed as virtual patches, then these systems are particularly vulnerable to attacks using evasion techniques," Eronen says.